TWIDS is a freeware about endpoint protection. It can filter packets by protection rules and used ET (Emerging Threats) rulesets by auto download daily. The software based on Windows NDIS, which can filter packets on NIC drivers. It can read snort rules to filter or drop packets or alarm in real-time.
It is a good software for Intrusion detection and computer forensics on Windows OS, and it identifies malicious programs conducting attacks on the application layer.
You can install software on many 32/64 bits Windows systems. (Windows XP, 2003, Vista, 7, Server 2003, Server 2008)
You can trust our software is safe, not malicious software. The software developed by the CUTe Security Lab at Taiwan. This project was funded by the Taiwan National Science Council as part of Award NSC-100-2218-E-163-001.
You can use TWIDS to detect and protect your PC by Snort rulesets, using auto-download daily. It can detect attack or abnormal packets in real-time.
Network Intrusion Detection System &
We hope you like our software, and send us a suggestion, thanks.
PS. Installed Snort on Windows need used WinPcap package, and It can't drop packet and get its application program in real time.
- Instructions for use -
TWIDS 1.6 using ET rules are enough to end users. If user want to get snort rules to filter packets by TWIDS, follow these steps to auto-download snort rules from Snort website.
. Get Snort Rules
You can use Snort Rules to filting packet by TWIDS 1.6. We put the batch files C:\TWIDS\merge-snort.bat let user to merge snort rules to TWIDS engine. Execution merge-snort.bat before get oinkcode (from snort website) and install WGET and BSDtar freewares.
1-1. Put your own oinkcode to C:\TWIDS\snort-oinkcode.txt files.
1-2. Install Wget & Bsdtar freeware about GNU to your PC.
1-3. Put fixed rules (by user defined) to C:\TWIDS\local.rules files, if you need to download snort rules by step 1-4.
1-4. Execute batch files to get snort rules on C:\TWIDS\merge-snort.bat
1. TWIDS Parser Work.
The user don't need to understand the snort rule, TWIDS can filter packet by auto-download rulesets from the ET site (botnet research community). It can work enough for normal users, but if user want to design the rulesets for itself, you can put fixed rules on TWIDS.rules on directory C:\TWIDS. You can modify daily download URLs on C:\TWIDS\TWIDS.URLs, it will auto-download rules files everyday. The software can detected the rules files changed, It will auto parser these rules files in real-time, and output C:\TWIDS\TWIDS.err file for that software can't parsing the rule line on files.
You can modify the configuration file at C:\TWIDS\TWIDS.ini to set function work in real-time. (example: stop filter function). As Snort method, you can define variables at TWIDS.var file. The software engine filter packets by rulesets and output messages to Events-$date.txt (example: Event-20120502.txt), the directory on C:\TWIDS\Logs. If you want to get more information about software parser and engine work, you can open XSSrv.txt, the directory on C:\Program files\TWIDS (windows 32bits) or C:\Program files (X86)\TWIDS (windows 64bits).
TWIDS installed NIC driver filter programs, you can get these information on NIC drivers items. If you remove these items, the filter software will lose its function.
4.Windows Messages Process.
The software filter packets on NIC driver (windows kernel mode). For the reason for performance, the XSSrv.exe will collected events in 1 minute and transfer these events to process it on windows user mode (XSAgt.exe). If user stoped process about XSSrv.exe or XSAgt.exe, the NIC driver will still filter packets, but it cannot display all messages and write to log files, even cannot download rules files from URLs.
5. NDIS Filter Architecture
For the filter performance, TWIDS are separated two kinds rulesets from the source snort rules. One ruleset is using drop packet in real-time, we process these rules on the IMD (InterMediate) layer. The other ruleset is not need to drop packet (for example: alert , pass, log) , we process these rules on Protocol driver layer. Because of the IMD layer process need to filter and decide to drop packets, so it lets filter process slower than protocol driver layer.
You can see NIC drivers on your PC, the TWIDS Filter Driver is IMD driver (Inter Mediate Driver) to drop packets, another TWIDS Protocol Driver is protocol driver to filter packets.
6. TWIDS support SNORT command options
7. TWIDS.ERR Error Code Description.
TWIDS parser can parse snort rules, but it not support all snort rule language. If parser occurred error when reading rule line, it will output messages to C:\TWIDS\TWIDS.err. You can follow error code for messages.
The software developed by Windows NDIS programs (NIC Driver filter), the function of IMD driver to drop packets, it need physical device drivers and can't operate on Virtual Machine(VM). But you still installed TWIDS for VM to filter packets on the protocol layer,so the Alert and Log function are useful.
The free software provided by CUTe Security Lab be freely distributed, provided that no charge above the cost of distribution is levied, and that the disclaimer below is always attached to it. The software are provided as is without any guarantees or warranty. Although the author has attempted to find and correct any bugs in the free software, the author is not responsible for any damage or losses of any kind caused by the use or misuse of the software. The author is under no obligation to provide support, service, corrections, or upgrades to the free software. For more information, please send and email to us.